Are Your Passwords Strong Enough? Advice from a Software Tester

Learning about passwords is one step toward learning about application security and safeguarding your information. Karen N. Johnson looks at the password field from the perspectives of a software tester, a business analyst, and a user.

Breaking In

Hired to execute some light-level security testing for a website, I wanted to
check out the site in more detail before visiting the client. I knew a little
bit about the website, but not a lot, and thought I should prepare for the work
by doing some exploring. I couldn’t view much on the website without an
account. Since the client was a B2B, and an account on the website took quite a
bit of information to get started, I couldn’t just create an account on
the fly and look around. On a whim (or perhaps gut instinct), I randomly typed
in something that sounded like a typical account name and password. Within
seconds, I was logged into a production account. Intrigued and a bit frightened,
I had unintentionally logged into someone’s account! And this wasn’t
just any account, either; it belonged to a well-known Fortune 500 company.

I hadn’t even used any hacking tools, rainbow tables, or sophisticated
methods. I had just guessed a likely account name and password, and I was logged
in.

How would I explain to the client at the start of an engagement on security
testing that I’d broken into one of their production client accounts the
day before? But, now that I was logged in, I was a little curious to see what I
could find out about the account. After all, what if I had bad intentions? I
decided to explore a little. The link to My Account seemed like a great place to
begin. Although the credit card information was obscured, I could still view
details about the company that weren’t any of my business. Fearing that
access logs might be recording my every move on the website, I logged out.

This experience specifically—and learning more about security testing
in general—made me think about the significance of the password field. As
a software tester, I test hundreds of data-entry fields, but the account name
and password fields are not "just another pair of entry fields." Since
many websites use email addresses for account names, and it can be easy to get
someone’s email address, a single field—the password field—may
end up being the gatekeeper to accessing an account.

Just how easy is it to crack a password? That depends on how strong the
password is.
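To put that last sentence in numbers, here is a small added example (not from the article) that estimates how many guesses a password survives, under two assumptions I've chosen for illustration: an attacker who tries a short common-password list before exhaustive search, and a guess rate of one billion guesses per second (the constant and the word list are constructed, not drawn from the article).

```python
import math
import string

# Assumed attacker guess rate in guesses per second. Illustrative figure for
# an offline attack against a fast hash; not a number from the article.
GUESS_RATE = 1e9

# Constructed stand-in for a "common passwords" list; real lists run to millions.
COMMON_PASSWORDS = ["123456", "password", "welcome1", "qwerty", "letmein", "admin123"]

# Character pools an exhaustive search is assumed to enumerate.
POOLS = [string.ascii_lowercase, string.ascii_uppercase, string.digits,
         string.punctuation, " "]


def charset_size(password: str) -> int:
    """Size of the combined pools needed to cover every character of the
    password; characters outside all pools count one each."""
    size = sum(len(p) for p in POOLS if any(c in p for c in password))
    size += len({c for c in password if not any(c in p for p in POOLS)})
    return size


def brute_force_space(password: str) -> int:
    """Number of candidates an exhaustive search over the pools must cover."""
    return charset_size(password) ** len(password)


def guesses_needed(password: str) -> int:
    """Worst-case guesses for an attacker who tries the common list first and
    only then falls back to exhaustive search over the character pools."""
    if password in COMMON_PASSWORDS:
        return COMMON_PASSWORDS.index(password) + 1
    return len(COMMON_PASSWORDS) + brute_force_space(password)


def assess(password: str) -> dict:
    """Summarise crack difficulty under the assumptions above: whether the
    password is on the common list, its effective bits of search, and the
    seconds an attacker at GUESS_RATE needs to exhaust the space."""
    guesses = guesses_needed(password)
    return {
        "common": password in COMMON_PASSWORDS,
        "bits": round(math.log2(guesses), 1),
        "seconds_to_exhaust": guesses / GUESS_RATE,
    }


if __name__ == "__main__":
    for pw in ["password", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{pw!r}: {assess(pw)}")
```

Note that a password on the common list falls in a handful of guesses regardless of its character mix, which is exactly how a "typical" password gets guessed without any tooling.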